1. Field
The disclosure relates generally to an improved data processing system, and more specifically to managing and monitoring continuous improvement in detection of compliance violations. In particular, the disclosure provides a method and system for using compliance violation risk data about an entity to enable an identity management system to dynamically adjust the frequency in which the identity management system performs a compliance check of an identity account associated with the entity.
2. Description of the Related Art
Identity management (IdM) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an organization) and controlling access to resources in that system by placing restrictions or permissions on the established identities of the individuals. An identity manager is a management system which is used to provide centralized management of identity accounts. One example of an identity management system is Tivoli Identity Manager (TIM), which is a product of International Business Machines Corporation. Identity management systems fall within a product category known as GRC (governance, risk management, and compliance) software. Within a GRC product, governance describes the overall management approach through which executives direct and control an organization, risk management describes a set of processes through which management identifies, analyzes, and responds appropriately to risks that might adversely affect realization of the organization's business objectives, and compliance refers to conforming to stated requirements or policies of the organization or other obligations.
An entity in identity management may be a user, a group of users, or a device requesting access to one or more devices, data, or other elements of an organization. An entity may be represented in an identity management system as having one or more identities, or identity accounts. The process of using an identity management system to add identities, along with the entities' credentials and entitlements, in the network or computer systems under the control of the identity management system is called “provisioning”. For example, when a person joins an organization as an employee, information that describes the employee may be provisioned into various components of the organization, such as a human resource system, an email system, a payroll system, a finance system, application directories, and so on. It is from these components that additional information that describes the employee's entitlements or rights to access resources within the organization is created by the identity management system. For example, the identity management system may use the employee's job title (e.g., accountant) to provide membership within a particular group (e.g., payroll). Similarly, the identity management system may also enforce a policy to prevent non-finance employees from being provisioned for membership within the payroll group.
The process of auditing the provisioning of the identity management system and verifying the validity of identity accounts is called a “reconciliation”. In the reconciliation process, a compliance check is performed to verify that the identity accounts carry only the restrictions and permissions defined in the policy, that each identity account maps to an appropriate end user, and to retire accounts that no longer do (e.g., where a user has left the organization), thereby ensuring that entitlements are provisioned to an identity account only as the policies of the company allow. For example, a security policy may specify that only persons in the information technology (IT) department may have Microsoft® Active Directory identity accounts in an “administrators” group. When the reconciliation is run and the compliance check is performed, any such accounts belonging to persons outside the IT department will be flagged as security violations, and the reconciliation process will optionally bring the account back into compliance by removing the administrators group from the account, flag the account as non-compliant with the policy, or disable the account.
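The provisioning policy from the previous paragraph (job title grants group membership, subject to a department restriction) and the reconciliation check described here can be modelled in a few dozen lines. The following is an added illustration, not code from the disclosure or from any identity management product such as TIM; the HR records, accounts, group names and the three remediation modes are constructed assumptions chosen to mirror the text's examples.

```python
from dataclasses import dataclass, field

# Constructed HR feed: the authoritative source of who is still employed
# and what department/title they hold (hypothetical sample data).
HR_RECORDS = {
    "alice": {"department": "IT", "title": "sysadmin"},
    "bob": {"department": "Finance", "title": "accountant"},
    "carol": {"department": "Sales", "title": "rep"},
    "dan": {"department": "Sales", "title": "accountant"},
}

# Provisioning rule: a job title entitles the holder to these groups.
TITLE_GROUPS = {"accountant": {"payroll"}, "sysadmin": {"administrators"}}

# Restriction policy: a group may only be held by members of these departments.
# Groups absent from this table are unrestricted.
RESTRICTED_GROUPS = {"payroll": {"Finance"}, "administrators": {"IT"}}


@dataclass
class Account:
    owner: str            # entity the identity account is mapped to
    target: str           # managed system, e.g. an Active Directory domain
    groups: set
    enabled: bool = True
    flags: list = field(default_factory=list)


def is_allowed(group, department):
    """True if the policy permits someone in `department` to hold `group`."""
    allowed = RESTRICTED_GROUPS.get(group)
    return allowed is None or department in allowed


def provision_groups(owner, hr=HR_RECORDS):
    """Groups to grant at provisioning time: title-derived, then policy-filtered.

    A non-finance accountant is NOT given 'payroll', as the text's policy requires.
    """
    record = hr[owner]
    requested = TITLE_GROUPS.get(record["title"], set())
    return {g for g in requested if is_allowed(g, record["department"])}


def reconcile(accounts, hr=HR_RECORDS, action="flag"):
    """Compliance check over existing accounts.

    Returns a list of (owner, target, issue, outcome). Accounts whose owner is
    no longer in HR are retired (disabled). Policy violations are handled per
    `action`: 'remove_group' restores compliance, 'flag' only records it,
    'disable' turns the whole account off.
    """
    if action not in {"remove_group", "flag", "disable"}:
        raise ValueError(f"unknown remediation action: {action}")
    findings = []
    for acct in accounts:
        record = hr.get(acct.owner)
        if record is None:
            acct.enabled = False
            findings.append((acct.owner, acct.target, "orphaned", "disabled"))
            continue
        # sorted() copies the set, so discarding inside the loop is safe
        for group in sorted(acct.groups):
            if is_allowed(group, record["department"]):
                continue
            if action == "remove_group":
                acct.groups.discard(group)
            elif action == "disable":
                acct.enabled = False
            else:
                acct.flags.append(f"non-compliant:{group}")
            findings.append((acct.owner, acct.target, f"unauthorized:{group}", action))
    return findings


def sample_accounts():
    """Constructed snapshot of accounts as read back from the managed system."""
    return [
        Account("alice", "ActiveDirectory", {"administrators", "staff"}),
        Account("bob", "ActiveDirectory", {"payroll"}),
        Account("carol", "ActiveDirectory", {"administrators", "staff"}),  # violation
        Account("dave", "ActiveDirectory", {"staff"}),                     # left the org
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    for finding in reconcile(accts, action="remove_group"):
        print(finding)
```

Running the module reports two findings: carol's unauthorized `administrators` membership (removed, since the mode is `remove_group`) and dave's orphaned account (disabled because he has no HR record). Switching `action` to `flag` or `disable` leaves the group alone and instead records or disables the account, which is the choice the reconciliation process is said to make optionally.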